Oswaldo Hernandez committed 92f43e6

Protect loading of DefaultConfiguration against XML vulnerabilities by:
- Enabling the secure processing feature in the XML parser. This will place limits so XML entities are not expanded recursively and exhaust memory.
- Not resolving external references to unknown XML entities by switching off the "http://xml.org/sax/features/external-general-entities"
and "http://xml.org/sax/features/external-parameter-entities" features and disabling loading of external DTDs.
- Ensuring we build a non-validating parser.


Files changed (1)

src/java/com/opensymphony/workflow/config/DefaultConfiguration.java

 import com.opensymphony.workflow.FactoryException;
 import com.opensymphony.workflow.StoreException;
 import com.opensymphony.workflow.loader.*;
-import com.opensymphony.workflow.loader.ClassLoaderUtil;
 import com.opensymphony.workflow.spi.WorkflowStore;
 import com.opensymphony.workflow.util.DefaultVariableResolver;
 import com.opensymphony.workflow.util.VariableResolver;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
 
-import org.w3c.dom.*;
-
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import java.io.InputStream;
 import java.io.Serializable;
-
 import java.net.URL;
-
-import java.util.*;
-
-import javax.xml.parsers.*;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
 
 
 /**
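Review bot: narrowing `import org.w3c.dom.*` and `import java.util.*` to explicit imports only compiles if `Document`, `Element`, `HashMap`, `List`, `Map` and `Properties` are the only types the rest of DefaultConfiguration.java uses from those packages; the file body is outside this hunk, so any `Node`, `NodeList` or `Iterator` reference elsewhere would now fail to resolve and should be checked before merging. The new `javax.xml.parsers.ParserConfigurationException` import is justified because `DocumentBuilderFactory.setFeature` declares it, but only if the catch block names that exception rather than a blanket `Exception`; otherwise it is an unused import and should be dropped.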
         }
 
         try {
-            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             dbf.setNamespaceAware(true);
+            dbf.setValidating(false);
+            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            dbf.setAttribute("http://apache.org/xml/features/nonvalidating/load-external-dtd", Boolean.FALSE);
+            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 
             DocumentBuilder db;
 
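Review bot: `http://apache.org/xml/features/nonvalidating/load-external-dtd` is a Xerces feature, and setting it via `setAttribute` means a non-Xerces `DocumentBuilderFactory` implementation rejects it with an unchecked `IllegalArgumentException` instead of the checked `ParserConfigurationException` that the three `setFeature` calls throw; use `dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)` so all four settings fail the same way and are handled by the same catch. The catch block is not in the hunk, so confirm that an unsupported feature aborts the configuration load (fail closed) rather than falling through to parsing with a default factory. As defence in depth, `dbf.setXIncludeAware(false)` and `dbf.setExpandEntityReferences(false)` are cheap to add here, and if the configuration file never needs a DOCTYPE, enabling `http://apache.org/xml/features/disallow-doctype-decl` blocks both external entity resolution and entity expansion at the source.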